'Deadly' vulnerabilities of public websites

The prosecution of student Bui Minh Tri made people realize that the number of agency and government department websites that hackers have visited is not small.

Security experts have warned many times that more than 80% of these websites have been hacked at least once, whether just 'to look around and play', to take information, or to change some parameters.

Security is very bad

QU, a student at Ho Chi Minh City University of Economics, said he often visits public websites to look up information. According to QU, on most of these websites, the people who hold administrative rights seem far too negligent about security.

While searching for information on the Internet, VTHung, a university lecturer in Ho Chi Minh City, accidentally discovered many websites of state agencies with SQL injection flaws that allow hackers full access to the database. When he discovered the flaw two years ago, he sent a notification letter to the administrator and received only an automated reply confirming that the email had been received. Undeterred, he sent the letter again, and this time received only silence. On December 26, 2006, when discussing the issue with Tuoi Tre, he tried to revisit the website of the construction department of a Mekong Delta province.

[Picture 1] Also on a corporation's website, a low-level computer user can go straight to the admin section and add a new entry without a username or password.

He listed more than 10 websites of People's Committees and local departments that he had 'visited', and said that although he is not good at security, he could easily 'walk around' inside these systems. As a conscientious citizen, every time he discovered a flaw he still informed the administrator, but he was "sad for me and for them" when the warning seemed to fall into the void.
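The two defects this story names, an SQL injection flaw in a search form and an admin page that asks for no login, shown side by side with their fixed forms. This is an added Python example and not code from the article or from any of the websites it describes; it uses an in-memory sqlite3 database with constructed sample rows, and the table, column and function names are assumptions.

```python
import sqlite3

# Constructed sample data standing in for a department website's document store.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)")
    conn.executemany("INSERT INTO documents (title, public) VALUES (?, ?)", [
        ("Construction permit procedure", 1),
        ("Land-use planning 2007", 1),
        ("Internal personnel review (restricted)", 0),
    ])
    conn.commit()
    return conn

def search_vulnerable(conn, keyword):
    # The flaw the lecturer describes: the visitor's keyword is pasted into the
    # SQL text, so it can change the query's structure, not just its data.
    sql = "SELECT title FROM documents WHERE public = 1 AND title LIKE '%" + keyword + "%'"
    return [row[0] for row in conn.execute(sql)]

def search_parameterized(conn, keyword):
    # Hardened form: the driver binds the value separately, so whatever the
    # keyword contains is compared as a string and the WHERE clause stays intact.
    sql = "SELECT title FROM documents WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + keyword + "%",))]

def quote_breaks_query(conn, search_fn):
    # Simple check an administrator can run against a search function: if a
    # lone single quote in ordinary input produces a database error, the input
    # is reaching the SQL parser as code rather than as data.
    try:
        search_fn(conn, "O'Brien")
        return False
    except sqlite3.Error:
        return True

def add_entry_unprotected(conn, title):
    # The flaw in the picture caption: the admin action verifies nothing about
    # who is calling it, so reaching the URL is enough to write to the site.
    conn.execute("INSERT INTO documents (title, public) VALUES (?, 1)", (title,))
    conn.commit()
    return True

def add_entry_protected(conn, session, title):
    # Hardened form: a server-side session with an admin role decides who may
    # write; an anonymous caller is refused before the database is touched.
    if session.get("user") is None or session.get("role") != "admin":
        return False
    conn.execute("INSERT INTO documents (title, public) VALUES (?, 1)", (title,))
    conn.commit()
    return True

def count_documents(conn):
    return conn.execute("SELECT COUNT(*) FROM documents").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    tautology = "x%' OR 1=1 --"   # classic test input: the restricted row leaks only from the vulnerable form
    print("vulnerable   :", search_vulnerable(db, tautology))
    print("parameterized:", search_parameterized(db, tautology))
    print("quote breaks vulnerable form:", quote_breaks_query(db, search_vulnerable))
    print("quote breaks hardened form  :", quote_breaks_query(db, search_parameterized))
    print("anonymous write allowed:", add_entry_protected(db, {}, "Defaced page"))
```

Running the block shows the vulnerable search returning the restricted document for the tautology input while the parameterized search returns nothing, and the quote probe erroring only on the vulnerable form, which is the kind of symptom the lecturer could report to an administrator without touching any data.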

In mid-2004, shortly after it was established, a network security center warned one of the largest banks in Vietnam of a serious security flaw that could let hackers gain control of its database system. Through this flaw, account details and transaction records could be stolen. The center immediately sent a letter to the bank, introduced itself and offered to fix the flaw free of charge. Only when the matter reached the State Bank and the police, who were considering prosecuting the director of the bank's informatics center for irresponsibility, did the director contact the security center to have the flaw fixed, and the incident was kept private.

A gap in vision

HB, director of software company P., commented that too many public websites are created and then abandoned: when the project ends, no one cares. Most public websites are built on foreign platform software such as Windows Server, SQL Server, ASP.NET, PHP and MySQL, and many even use entirely open-source packages such as Mambo, Plone and Rainbow. That platform software itself has many flaws; hackers and security experts around the world publish new ones every day, and the vendors regularly release patches and fixes, but nobody takes the care to apply them to public websites.

Meanwhile, Vietnam has few security experts and users' awareness is low, so there is no market for security. Website design companies themselves consist mostly of programmers, most of whom have little security knowledge or awareness. Moreover, the contracts between the two parties are loose: once the product is accepted the job is considered finished, with no provisions for maintenance or security. And most government staff merely enter information; they never look into the directories or inspect the code to find out whether a hacker has left a trace.

HONG NHUNG